Skip to content

Comments

Policy: Support NPDS rules with pass verdicts#1754

Open
jrajahalme wants to merge 9 commits intomainfrom
policy-pass-verdict-support-2
Open

Policy: Support NPDS rules with pass verdicts#1754
jrajahalme wants to merge 9 commits intomainfrom
policy-pass-verdict-support-2

Conversation

@jrajahalme
Copy link
Member

@jrajahalme jrajahalme commented Feb 16, 2026
edited
Loading

Add support for NPDS pass verdicts by promoting the precedence of passed-to rules to follow that of the pass verdict rule. NPDS add a new pass_precedence field that specifies the precedence up-to which rules are ignored if the pass rule matches. pass_precedence is mutually exclusive with the deny field. Pass verdict rules can not have any L7 (e.g., HTTP) rules, as the match is solely done on the port range and the remote security identities (L3/4).

Fix precedence handling between wildcard and specific match port rules by distributing wildcard port rules to the rulesets of specific port ranges. This is cheap since the rules are referred to via shared pointers and allows to keep the logic as simple as possible.

Refactor with C++20 ranges for readability.

@jrajahalme jrajahalme requested a review from a team as a code owner February 16, 2026 19:29
@jrajahalme jrajahalme marked this pull request as draft February 16, 2026 19:29
@jrajahalme jrajahalme removed the request for review from mhofstetter February 16, 2026 19:29
@jrajahalme
tidy: Fix clang tidy
6c9e6cd 
Ran make tidy-fix locally, hopefully CI agrees.

Added new make target tidy-fix-head that checks and fixes only the files
modified in the HEAD commit.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Limit proxy_id to 16 bits
c5ae33f 
Proxy ID is really a port number, so we can safely limit it to 16 bits.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Make PortNetworkPolicyRule copyable
48b1e37 
Pass verdict handling needs to make copies of
PortNetworkPolicyRules. Change the unique pointers to a shared pointers
to allow for this.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
api: Add support for pass verdict
7871ee3 
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Parse pass_precedence
d844ad0 
Parse the new pass_precedence field.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Add isRemoteWildcard()
73223e2 
Improve readability with the new isRemoteWildcard helper.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Add support for pass verdict
83f5b22 
Pre-process policy rules with pass verdicts on on policy updates. This
involves promoting the precedence of lower tier rules based on the pass
verdicts on higher tiers. Depending on the remote identities being
matched, the lower tier rule may need to be split up to different sets of
remote identities, or if remotes match exactly then the whole rule can be
promoted to the higher tier.

Splitting up, as reqiuired, increases the number of rules. We counter
this by keeping track of "shadowed" identities of higher tier rules, both
within a tier and between tiers, and eliminate rules that can not be
matched when they become completely shadowed.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the policy-pass-verdict-support-2 branch 2 times, most recently from b501309 to 69d3e50 Compare February 18, 2026 20:56
@jrajahalme jrajahalme force-pushed the policy-pass-verdict-support-2 branch from 69d3e50 to 032880a Compare February 24, 2026 09:38
@jrajahalme jrajahalme marked this pull request as ready for review February 24, 2026 09:38
@jrajahalme
policy: Fix precedence between wildcard port and specific port rule
1c413a7 
We only looked for wildcard port match if a specific port did not find
any matches. Fix this by distributing wildcard port rules to all explicit
port (range) rules so that they are checked in the right precedence
order. This is cheap as they are referred to by a shared pointer, so no
copies of the actual PortNetworkPolicyRule's are made.

Refactor policy lookups to return a RuleVerdict type.

Fix empty rules with other rules semantics:

A port rule with an empty rules list is an implicit allow of the lowest
precedence. Retain this semantic if a pass rule is added either on the
same port, or to the wildcard port. Without this fix the pass rule
processing does not find the (missing) default-allow-rule and the
precedence of the default allow remains at 0, while it should have been
promoted due to the pass rule.

test TLS with deny

Harden TLS test with deny policies. Make sure raw sockets are not allowed
if there is overriding deny policy.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the policy-pass-verdict-support-2 branch from 032880a to 29148bb Compare February 24, 2026 09:53
@jrajahalme jrajahalme changed the title Policy pass verdict support 2 Policy: Add pass verdict support Feb 24, 2026
@jrajahalme jrajahalme changed the title Policy: Add pass verdict support Policy: Support NPDS rules with pass verdicts Feb 24, 2026
@jrajahalme
policy: Refactor to simplify
0c4698a 
No functional changes, but easier to read.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the policy-pass-verdict-support-2 branch from 29148bb to 0c4698a Compare February 24, 2026 10:03
@jrajahalme jrajahalme requested a review from nezdolik February 24, 2026 10:17
This was referenced Feb 24, 2026
Open
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nezdolik nezdolik Awaiting requested review from nezdolik

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

kind/enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jrajahalme